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Abstract 

We  show  the  use  of  a  reconhgurable  computer  in  computing  the  correlation  immunity  of 
Boolean  functions  of  up  to  6  variables.  Boolean  functions  with  high  correlation  immunity  (in 
addition  to  other  cryptographic  properties)  are  desired  in  cryptographic  systems  because  they 
are  immune  to  correlation  attacks.  The  SRC-6  reconfigurable  computer  was  programmed  in 
Verilog  to  compute  the  correlation  immunity  of  functions.  This  computation  is  performed 
at  a  rate  that  is  190  times  faster  than  a  conventional  computer. 

Our  analysis  of  the  correlation  immunity  is  across  all  n-variable  Boolean  functions,  for 
2  <  n  <  6,  thus  obtaining,  for  the  first  time,  a  complete  distribution  of  such  functions.  We 
also  compare  correlation  immunity  with  two  other  cryptographic  properties,  nonlinearity  and 
degree. 

Keywords,  reconfigurable  computer,  configurable  computing,  cryptographic  Boolean  func¬ 
tions,  correlation  immunity,  rotation  symmetric  Boolean  functions 


1  Introduction 

The  correlation  immunity  of  a  Boolean  function  measures  the  extent  the  variable  values  can  be 
guessed  given  the  function  value.  When  Boolean  functions  are  used  in  encryption,  functions 
with  high  correlation  immunity  (along  with  other  cryptographic  properties)  are  preferred,  since 
they  are  less  susceptible  to  an  attack  than  functions  with  low  correlation  immunity.  Interest  in 
this  topic  developed  because  Siegenthaler  [28]  in  1984  showed  how  an  attack  can  be  effectively 
applied  to  encryption  systems  using  functions  with  low  correlation  immunity. 

Correlation  immune  (Cl)  functions  are  also  used  in  machine  learning  (see  [1,  22]):  a  “greedy” 
method  to  obtain  a  decision  tree  representation  of  a  Boolean  function  given  just  a  set  of  input- 
output  pairs  proceeds  by  choosing  (recursively)  a  node  of  the  tree  to  maximize  a  cost  indicator 
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(information  gain).  However,  if  the  function  happens  to  have  non-zero  correlation  immunity,  this 
cost  function  is  zero  and  thus  not  useful;  i.e. ,  a  decision  tree  representation  cannot  be  obtained 
in  the  case  of  a  function  that  has  non-zero  correlation  immunity.  Since  most  n- variable  functions 
have  zero  correlation  immunity  for  n  >  2,  the  greedy  method  works  for  most  functions. 

We  show  that  a  reconfigurable  computer  is  effective  in  enumerating  Boolean  functions  accord¬ 
ing  to  their  correlation  immunity.  Especially,  we  can  compare  Boolean  functions  with  respect  to 
various  cryptographic  properties,  including  nonlinearity  and  degree  due  to  prior  use  of  a  recon¬ 
figurable  computer  in  computing  these  cryptographic  properties  [27].  Since  Rothaus’  original 
paper  on  bent  functions  in  1976  [23],  there  has  been  much  work  on  the  cryptographic  properties 
of  Boolean  functions  [11].  Such  properties  include  strict  avalanche  criterion  [14,  30],  propagation 
criteria  [20],  and  algebraic  immunity  [9,  10].  We  have  previously  shown  a  60,000  x  speed-up  in 
using  a  reconfigurable  computer  to  compute  bent  functions  [27]. 

2  Some  definitions 

In  this  paper,  we  use  the  Landau  symbol  O  with  its  usual  meaning.  Specifically,  /  =  O(g) 
means  |/(x)|  <  c\g(x)\  holds  with  some  constant  c,  for  x  sufficiently  large.  Also,  we  write  /  ~  g 

;f  Hm  /(g)  —  1 

n  um^oo  —  i- 

Let  F2  be  the  prime  field  of  characteristic  2.  For  any  positive  integer  n,  the  set  [n]  := 
{l,...,n}.  Let  F2  =  {x  =  (xi,...,xn)  :  x*  €  F2,  for  all  i  €  [n]}  be  the  vector  space  of 
dimension  n  over  F2.  Any  function  from  F?f  to  F2  is  said  to  be  a  Boolean  function  on  n  variables, 
whose  set  is  denoted  by  23n.  Addition  over  F2  and  F1J  are  both  denoted  by  ©  whereas  addition 
over  integers  is  denoted  by  +.  For  any  x  G  F£ ,  the  weight  of  x  is  wt(x)  =  ^”=1  xt.  The  algebraic 
normal  form  (ANF)  of  a  Boolean  function  /  G  23  n  is 

fix  1,  •  • . ,  xn)  =  0  Max"1  . . .  x“", 

a=(ai,...,a„)eFJ 

where  pa  £  F2 ,  for  all  a  G  F1J ,  and  where  x“*  =  1  if  o*  =  0  and  x“!  =  Xj  if  a.;  =  1.  The  algebraic 
degree  of  /  is  deg (/)  =  max{wt(a)  :  /xa  /  0}.  The  Fourier  transform  or  the  Fourier  coefficient 

agFJ 

of  /  G  23n  at  u  6  Fj  is 

/(u)  =  2-"  ]T(-l/M(-l)ux, 

xeFj 

where  u  •  x  =  ®"=1  UiXi  is  the  inner  product  of  u  =  (m, . . . ,  un)  and  x  =  (xi, . . . ,  xn).  The 
Walsh-Hadamard  transform  of  /  G  23n  at  u  G  Fj  is  W/(u)  =  2n/(u). 

The  set  of  Fourier  coefficients  {/( u)  :  u  G  Fg}  is  said  to  be  the  Former  spectrum  of  /. 
The  set  of  Walsh-Hadamard  coefficients  [Wf(u)  :  u  G  F^}  is  said  to  be  the  Walsh-Hadamard 
spectrum  of  /.  These  transforms  are  invertible,  that  is,  for  all  x  G  F2 , 

(_i)/w  =  2-”  £  wytuK-i)-*  =  ^  7(“)(-1)ux 

u£Fj  uSFJ 

The  Walsh-Hadamard  spectrum  of  any  Boolean  function  /  G  23n  is  constrained  by  Parseval’s 
identity 

£w-/(  u)2  =  22T  (1) 

ueFj 
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Since,  it  will  be  used  later,  we  introduce  below  the  2n  x  2n  Walsh-Hadamard  matrix  Hn  = 
((-i)s<i)-iu))„<^<2._1  wo  is  the  binary  expansion  of  i  written  as  a  vector  with  n  components) , 


or  inductively,  H\  =  (1),  H-2  = 


1  1 
1  -1 


and,  in  general,  Hn  =  H\  ®Hn_ i  = 


Hn— i  Hn—\ 
Hn—  1  Hn—  i 


(’<8>’  is  the  Kronecker  product).  It  is  known  that  IT/  =  Hn(—ly. 

The  weight  of  a  Boolean  function  is  the  weight  of  its  truth  (output)  table.  An  n-variable 
function  /  is  balanced  if  its  truth  table  has  as  many  0’s  as  l’s,  that  is,  its  weight  is  exactly  2n~1. 


Example  1.  The  weight  of  the  AND  function  /(x)  =  x\X2  ■  ■  ■  xn  is  1.  The  weight  of  the 
exclusive  OR  function  /(x)  =  x\  ©  X2  ©  •  •  •  ©  xn  is  2n~1 .  The  exclusive  OR  function  is  balanced. 


An  n-variable  function  /  has  correlation  immunity  of  order  0  <  k  <  n  if  and  only  if,  for 
every  fixed  set  S'  of  A:  variables,  and  for  every  assignment  of  values  to  the  variables  in  S,  the 
weights  of  all  subfunctions  are  the  same.  An  n-variable  function  /  is  resilient  of  order  k  if  it  is 
balanced  and  has  correlation  immunity  of  order  k. 

An  n-variable  function  /  is  correlation  immune  if  and  only  if  its  correlation  immunity  k 
is  1  or  more.  An  ?r-variable  function  /  is  resilient  if  and  only  if  it  is  balanced  and  correlation 
immune.  When  a  function  has  correlation  immunity  (resiliency)  k  but  not  k  + 1,  we  will  describe 
such  a  function  as  exact  correlation  immune  (resilient)  of  order  k. 

The  following  result  characterizes  correlation  immunity  (resiliency)  (see  [11]). 

Theorem  1.  The  following  are  true. 


(i)  An  n-variable  function  f  has  correlation  immunity  (respectively,  resiliency)  of  at  least 
order  k  if  and  only  if  IT/ (a)  =  0,  for  all  a  6  F]  with  1  <  wt(a)  <  k  (respectively, 
0  <  wt(a)  <  k). 

(ii)  An  n-variable  function  f  has  correlation  immunity  of  at  least  order  k  if  and  only  if  f  © 
Xix  ©  Xi2  ©  •  •  •  ©  Xik  is  balanced  for  all  1  <  i\  <  . . .  <  ih  <  n. 

Correlation  immunity  describes  the  extent  to  which  the  variable  values  can  be  guessed,  given 
the  function  value.  A  function  that  has  low  correlation  immunity  is  the  AND  function  on  n  >  1 
variables.  For  example,  if  this  function’s  output  value  is  1,  then  the  input  variable  values  are 
(x\,X2,  ■  ■  ■ ,  xn)  =  (1, 1, . . . ,  1)  with  probability  100%.  On  the  other  hand,  when  this  function’s 
output  value  is  0,  there  is  a  large  uncertainty  as  to  which  variable  values  caused  this  (from 
among  2n  —  1  values).  In  a  function  with  high  correlation  immunity,  knowing  the  function’s 
value  yields  an  equal  uncertainty  as  to  the  variables’  values  that  produced  that  function’s  value. 
For  example,  in  the  exclusive  OR  function  /  =  x\  ©  X2  ©  •  •  •  ©  xn,  half  of  the  assignments  of 
values  to  the  variables  yield  /  =  0  and  half  yield  /  =  1.  Therefore,  knowing  that  /  =  0  or  /  =  1 
yields  the  same  uncertainty  regarding  the  assignment  of  values  to  the  variables.  If  we  choose 
any  pair  of  variables  and  any  of  the  four  assignments  of  values  to  the  pair  (00,01,10,11),  we  also 
have  an  equal  uncertainty  as  to  which  of  the  remaining  assignments  yield  /  =  0  and  /  =  1. 

Consider  the  exclusive  OR  function  /  =  x\  ©  X2  ©  ■  •  •  ©  xn,  and  consider  a  subset  S  of 
1  <  k  <  n  variables.  By  symmetry,  these  might  as  well  be  the  last  k.  When  they  are  fixed, 
the  resulting  subfunction  is  either  x\  ©  •  •  •  ©  xn-k ,  or  its  complement.  Either  choice  has  weight 
2n-fc-i.  Therefore,  /  has  correlation  immunity  of  order  k.  Note,  however  that  it  does  not  have 
order  n  correlation  immunity,  because,  by  fixing  the  (unique)  set  of  variables  of  cardinality  n, 
the  function  becomes  constant  (either  0, 1),  which  are  evidently,  not  balanced.  It  follows  that 
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this  function  has  exact  correlation  immunity  of  n  —  1.  We  shall  see  later  that  the  algebraic 
degree  and  immunity  are  constrained. 

We  recall  here  that  a  barbell  function  is  the  function  X\X2  •  •  •  xn  ©  x\X2  •  •  •  xn  or  its  com¬ 
plement.  A  threshold  function  is  a  function  fw.r  such  that  /w,t(x)  is  1  if  the  weighted  sum 
Y^i= i  WiXi  >  T,  where  Xi  is  viewed  as  an  integer  equal  to  its  logic  value  and  Wi  and  T  are  real 
numbers.  The  Achilles  heel  function,  /  =  x\X2  ©  £3x4  ©  •  •  •  ©  xn/2-\Xn/2 ,  for  n  even,  is  known 
to  have  a  binary  decision  diagram  whose  number  of  nodes  is  especially  sensitive  to  the  ordering 
of  its  variables  [3]. 

Table  1  shows  the  correlation  immunity  of  several  example  functions,  including  the  barbell, 
threshold,  and  Achilles  heel  functions.  Since  functions  with  odd  l’s  all  have  correlation  immunity 
0,  more  than  one-half  of  the  Boolean  functions  have  correlation  immunity  0. 


Table  1:  Correlation  immunity  of  some  example  n- variable  Boolean  functions. 


Function 

Description 

Expression 

Correlation 

Immunity 

Constant  Functions 

s 

II 

0 

II 

1 — 1 

n 

Parity  Functions 

/  =  X\  ©  X2  ©  •  •  •  ©  xn,  f  ©  1 

n  —  1 

Barbell  Functions 

/  =  X1X2  ■■■Xn®  X1X2  ■■■ Xn ,  /  ©  1 

1 

Functions  With  Odd  Weight 

e.g.,  /  =  X\X2  ■■  -  Xn,  f  =  x\  V  X2  V  •  •  •  V  Xn 

0 

Threshold  Functions 

e.g.,  /  =  X1X2  V  X1X3  V  x2x3 

0 

Achilles  Heel  Function 

/  =  X1X2  ©  X3X4  ©  •  •  •  ©  xn/2-iXn/2,  n  even,  /  ©  1 

0 

In  applying  the  definition  of  the  correlation  immunity  to  determine  the  correlation  immunity 
of  a  given  function,  it  was  convenient  to  specify  a  two-step  process.  In  the  first  step,  we  specify 
that  a  condition  hold  for  all  AZ-subsets  of  variables.  In  the  second  step,  we  specify  that  a  condition 
hold  across  all  assignments  of  values  to  the  variables  chosen  in  the  first  step.  For  pedagogical 
reasons,  we  could  view  this  as  a  one-step  process.  That  is,  we  could  think  of  simultaneously 
choosing  a  AZ-subset  and  some  assignment  of  values  to  the  variables.  In  this  way,  we  produce 
one  of  the  subfunctions  of  /.  The  definition  of  correlation  immunity  then  requires  that 

all  of  these  (^)2k'  subfunctions  have  the  same  weight.  The  maximum  k ’  for  which  this  is  true  is 
the  exact  correlation  immunity  of  the  function.  This  viewpoint  will  be  useful  in  the  description 
of  the  circuit  to  compute  correlation  immunity  in  Section  4. 

3  Some  results  on  the  number  of  correlation  immune  and  re¬ 
silient  functions 

Various  results  are  known  about  the  tradeoff  among  cryptographic  properties  involving  corre¬ 
lation  immunity.  For  example,  if  /  is  a  Boolean  function  in  n  variables  that  has  correlation 
immunity  of  order  k,  then  2k  divides  the  Hamming  weight  of  /.  Also,  if  /  is  a  Boolean  function 
in  n  variables,  that  has  correlation  immunity  of  order  k,  then  the  degree  d  of  /  is  at  most  n—k.  If 
further,  /  is  balanced  and  correlation  immune  of  order  1  or  more  (hence,  resilient)  and  k  <  n  —  1, 
then  the  degree  of  /  is  at  most  n—k  —  1.  Other  more  esoteric  results  exist,  like  the  fact  that 
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if  /  has  correlation  immunity  k,  then  the  algebraic  normal  form  (positive  polarity  Reed-Muller 
form)  of  /  either  has  no  terms  of  degree  n  —  k  or  has  all  possible  terms  of  degree  n  —  k. 

Camion  et  al.  [4]  attempted  a  nice  recursive  approach  for  the  construction  of  a  resilient 
function  /  on  n  +  1  variables.  It  is  based  on  the  Shannon  decomposition  of  a  Boolean  function 
/,  where  /  =  xnf0  V  xnfi,  such  that  /0  =  / |o-»-x„  and  /i  =  /|i_».x„.  A  Boolean  function  is 
(k  +  l)-resilient  if  and  only  if  the  following  two  conditions  hold: 

(i)  /o  and  f\  are  resilient  functions  of  order  k\ 

(ii)  for  all  n  component  vectors  v  of  weight  k  +  1,  the  Walsh-Hadamard  transform  equation 
W/o(v)  +  Wf1(v)  =  0  holds. 

Also,  if  the  degrees  of  /,  /o  and  f\  are  equal  (so,  deg(/o  0  /i)  <  deg (/),  because  otherwise,  we 
would  have  deg(/o  +  /i)  =  deg (/),  but  that  is  impossible  since  f  =  fo  +  xn(fo  +  /i)  and  so,  / 
would  increase  its  degree),  then  /  has  its  maximum  degree  n  +  1  —  (k  +  2)  if  and  only  if  /o  and 
fi  have  their  maximum  degree  n  —  (k  +  1). 

Improving  upon  an  interesting  result  obtained  by  Sarkar  and  Maitra  [24],  Carlet  [6]  showed 
the  following  theorem. 

Theorem  2  ([6,  24]).  If  a  degree  d>  1,  n-variable  function  f  has  correlation  immunity,  respec¬ 
tively,  resiliency  of  order  k,  then  its  Walsh-Hadamard  coefficients  are  divisible  by  2fc+1+L  d  1, 
respectively,  2fc+2+L  s  J.  Moreover,  the  nonlinearity  Nf  of  an  order  k  correlation  immune, 
respectively,  resilient  function  f  satisfies 

2fc+L  d  1  |  Nf  <  2n~1  —  2k,  respectively, 

2fc+i+l"  d  ‘J  |  Nf  <  2n~1  —  2k+l . 

This  easily  implies  that  functions  whose  correlation  immunity  is  at  least  1  have  even  nonlin¬ 
earity,  and  if,  in  addition,  they  are  balanced,  their  nonlinearity  is  divisible  by  4. 

Let  CI(n,k )  (respectively,  BCI(n,k ))  be  the  number  of  exact  order  k  correlation  im¬ 
mune,  (respectively,  further  balanced)  n- variable  Boolean  functions.  The  notations  CI(n,k,d), 
BCI(n ,  k,d)  restricts  the  previous  count  to  degree  d  Boolean  functions. 

Theorem  3.  The  following  are  true: 

(i)  BCI(n,  n,  0)  =  0,  CI(n,  n,  0)  =  2,  CI(n,  k,  1)  =  BCI{n ,  k,  1)  =  2(fc”1) ,  0  <  k  <  n  —  1. 

(**)  BCI(n,n-  2)  =  2(n^)  =  2 n. 

(Hi)  BCI(n,  n  -  3)  =  "("-i)(^-2)(n+D  +  2(^  _ 

(iv)  BCI(n,  k,d)  =  0,  if  n  >  (n  —  k  —  \)2d~l;  in  particular,  BCI(n,  k,  2)  =  0,  for  all  k  > 

(v)  CI(n ,  n  —  I,  2)  =  0,  if  n  >  Ak  —  5;  in  particular,  CI(n,  n  —  2,  2)  =  0,  if  n  >  3. 

Proof.  We  first  show  (i).  Let  /  be  an  affine  function,  /(x)  =  ®“=1  CjXj0c,  c,,  c  G  F2.  Certainly, 
correlation  immunity  is  preserved  by  complementation.  So,  from  here  on,  we  always  assume 
that  the  constant  c  =  0.  We  next  take  K  to  be  the  exact  number  of  nonzero  coefficients,  say 
Cj .  =  1, 1  <  j  <  K.  If  K  =  0,  then  /  is  constant  (hence,  non-balanced)  and  we  see  that  the 
constant  functions  1,  0  are  correlation  immune  of  order  n. 
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If  K  >  0,  then  /  is  balanced.  So,  the  number  of  correlation  immune  functions  of  whatever 
order  will  match  the  number  of  resilient  functions  of  the  same  order.  Using  Theorem  1,  we  see 
that  /  is  not  correlation  immune  (resilient)  of  order  K ,  since  /  ©  ©  •  ■  •  ©  XiK  =  0.  Hence, 

/  is  not  balanced.  However,  /  is  correlation  immune  (resilient)  of  order  k  :=  K  —  1,  since  then 
/  ©  €)  •  •  ■  ©  Xij  =  0,  j  <  K  —  1  will  be  nonzero  and  linear,  hence  balanced.  There  are  (fc”1) 

ways  of  choosing  the  nonzero  coefficients,  and  (i)  follows.  Certainly,  (ii)  follows  by  the  same 
argument,  since  we  know  that  a  function  that  is  resilient  of  order  n  —  2  must  have  degree  <  1. 

Next,  the  first  term  from  claim  (Hi)  was  found  in  [4]  and  counts  the  number  of  resilient 
of  order  n  —  3  quadratic  Boolean  functions.  The  second  term  corresponds  to  affine  resilient 
functions  of  order  n  —  3,  and  follows  from  (i). 

The  item  ( iv )  is  [29,  Theorem  5  and  Theorem  7].  Next,  we  show  (v).  We  recall  the  interesting 
upper  bound  of  Tarannikov  et  al.  [29]  for  the  correlation  immunity  order  k  of  an  unbalanced 
Boolean  function  in  n  variables,  namely 


k  < 


3n  —  5 
4 


(2) 


For  k  :=  n  —  2,  n  >  4,  this  would  imply  n  —  2  <  3n^~5,  which  contradicts  n  >  4,  and  this 
shows  that  there  are  no  unbalanced  quadratic  Boolean  functions  that  are  correlation  immune 
of  order  k.  If  /  is  balanced  and  correlation  immune  of  order  n  —  2,  then  we  can  apply  (iv),  or 
observe  that  the  degree  of  /  cannot  exceed  1  and  so,  /  cannot  be  quadratic.  □ 


Remark  4.  Bierbrauer  and  Friedman  [2,  15]  found  the  following  bound  on  the  Hamming  weight 
of  a  function  f  that  is  correlation  immune  of  order  k 


wt(f)  >  2 ' 


,2(k  +  1)  —  n 
2(k  +  1)  ’ 


which  gives  further  constraints  on  the  parameters  of  a  correlation  immune  Boolean  function. 


Denisov  [12]  found  that  the  number  of  n-variable  correlation  immune  functions  of  order  k, 
say  CI(n,k),  is  asymptotically 

CI(n,  k)  ~  22ri+Q-k(2n~17 r)-^-1)/2, 

where  M  =  ^j=0  (")  and  Q  =  X^'=i  j  (")  •  Denisov  published  a  “correction”  in  2000  (see  [13]), 
but  it  turns  out  that  his  original  result  was  correct  and  the  latter  paper  is  incorrect,  as  was 
shown  by  Canfield  et  al.  [5].  For  k  =  1,  one  can  get  a  simpler  estimate 

CI(n,  1)  ~  Dn  =  ^  f ^  22’1-"-2/2,  as  n  — >  oo. 


A  more  refined  version  of  the  approximation  for  CI(n,  1)  was  computed  by  Bach  [1] 

CI(n,l)=Dn(l-Fk  +  o(H)). 


Denisov  [12]  also  showed  that  the  number  BCI(n,k)  of  balanced  and  correlation  immune  (re¬ 
silient)  functions,  satisfies  the  asymptotic  formula 

BCI(n,  k)  ~  22"-(fc)(n-fc)/2(2/7r)M/2,  as  n  — >  oo, 
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where  M  =  Yl'j=o  (”)  • 

There  are  various  results  concerning  bounds  on  the  number  of  correlation  immune  and/or 
resilient  functions  and  the  interested  reader  can  find  some  in  the  listed  references  (or  elsewhere) . 
Also,  Yang  and  Guo  [31]  found  in  1995  that  the  number  of  correlation  immune  functions  of 
order  1  is  upper  bounded  by 


CI(n,l)<  EE 

k= 0  r=0 


2n 

r 


—  2\2 


1—2  \  2 


k  —  r 


Le  Bars  and  Viola  [16]  found  a  lower  bound  for  the  number  of  resilient  Boolean  functions  of 
order  1,  namely 

BCI(n,  1)  >  22n-n2+in+1e3-n(n7r)n/2. 

A  quick  analysis  of  this  lower  bound  gives  us  a  ‘glimpse’  at  the  complexity  of  completely  enu¬ 
merating  all  resilient  functions  for  n  =  6,  7:  if  n  =  6  there  are  more  than  242'77,  and  for  n  =  7, 
there  are  more  than  296'72  resilient  Boolean  functions.  By  using  a  construction  of  a  resilient  of 
order  k  function  in  n  variables  from  a  resilient  of  order  1  in  n  —  k  +  1  variables,  Le  Bars  and 
Viola  found  (for  free)  the  following  lower  bound  for  the  number  of  resilient  of  order  k  functions 

BCI(n,  k)  >  22”— fc+1— (n— fc+l)2+!(n— k+l)+lek- n-  _k  +  !)„■)("— fc+11/2^ 


which  can  be  combined  with  Schneider’s  bound  [25,  26]  for  0  <  k  <  n, 

n—k 


BCI(n,  k )  <  J] 

3=1 


2J 

23-1 


Ck-l1) 


The  previous  bound  is  rather  weak  for  high  order  of  resiliency,  and  it  was  slightly  improved  by 
Carlet  and  Klapper  [8],  who  showed  that  BCI(n ,  k)  is  upper  bounded  by 


v— m  — fc—  1  ( n\  'r-^n  —  k  —  2  f  n\ 

2^i=o  v  i)  —  2^*=o  u  J 


222fc  +  !  — 1 


+ 


X^n  —  k  —  2  ( n\ 
2^i=0  \i) 


2i+Er=-ofc“1 0-Esf-1  (Y)(i  +  e)  +  2Er=-ofc“2  C),e  =  2-n((2Vn)i/2)> 


for  2  <  k  <  n/2 
for  n/2  <  k  <  n 


and  Carlet  and  Gouget  [7],  who  showed  that  BCI(n,k)  is  upper  bounded  by 


X^n  —  k  —  2  ( n\ 

2/^i=Q  U  J 


+  2" 


(  fc+i 

\n  —  k  —  1 


n  \ 
n  —  k  —  lj 


n—k 


n 


(n-j-l\ 

/  23  y  fc-i  > 

U'-  V 


We  further  point  to  [18]  for  an  alternative  representation  of  resilient  functions. 

Unfortunately,  all  of  these  bounds,  and  asymptotics  for  n  — >  oo,  simply  estimate  counts  of 
the  correlation  immune  and  resilient  functions.  They  say  nothing  about  the  size  of  the  afore¬ 
mentioned  sets  for  a  small  number  of  variables  n.  Indeed,  there  are  no  known  expressions  for 
the  exact  counts  CI(n,  k)  and/or  BCI(n,  k )  for  n  >  6  (and  all  k  >  1).  We  show  that  a  reconfig- 
urable  computer,  combined  with  the  theoretical  results  can  tractably  compute  the  correlation 
immunity  of  functions  exhaustively  along  with  other  cryptographic  properties.  Thus,  we  can 
compare  their  correlation  immune/resilient  properties,  and  compare  against  other  cryptographic 
properties,  such  as  nonlinearity  and  degree. 
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computing  correlation  immunity.  Figure  2:  Breakdown  of  correlation 


immunity  computation  circuit. 

4  Computation  of  correlation  immunity 

A  Verilog  program  was  written  to  compute  the  correlation  immunity  of  Boolean  functions  on  the 
SRC-6  reconfigurable  computer.  Because  of  the  large  logic  resources  available,  it  was  possible 
to  implement  the  correlation  immunity  computation  for  one  function  per  clock  period.  With 
a  clock  frequency  of  100  MHz,  we  can  compute  a  function’s  correlation  immunity  at  a  rate  of 
100,000,000  functions  per  second.  Later,  we  compare  this  to  a  conventional  processor. 

Fig.  1  shows  a  block  diagram  of  correlation  immunity  computation  circuit.  The  block  on  the 
left  labeled  “Function  Generator”  generates  the  truth  table  of  the  function  whose  correlation 
immunity  is  currently  being  computed.  When  this  circuit  is  used  in  exhaustive  enumeration,  the 
Function  Generator  is  an  up  counter.  The  block  labeled  “Correlation  Immunity”  is  a  combina¬ 
torial  logic  circuit  whose  input  is  the  truth  table  of  a  function  and  whose  output  is  the  value  of 
its  exact  correlation  immunity.  The  oval  labeled  “Update  Cl  Counter”  represents  that  part  of 
the  system  that  records  the  correlation  immunity.  It  records  each  contribution  to  the  histogram 
of  the  number  of  functions  with  various  values  of  correlation  immunity. 

Fig.  2  shows  a  block  diagram  of  the  combinatorial  logic  block  in  Fig.  1  labeled  “Correlation 
Immunity” .  The  truth  table  of  the  function  under  test  is  applied  on  the  left  to  n  blocks  labeled 
“k  =  a?” ,  where  1  <  a  <  n.  Each  block  tests  whether  the  function  has  correlation  immunity  a 
and  produces  a  1  if  and  only  if  the  function  has  correlation  immunity  a.  This  output  is  applied 
to  a  priority  encoder  that  produces  at  its  output  a  value  that  is  the  largest  a  such  that  the  block 
labeled  ilk  =  a?”  produces  a  1.  m,  the  number  of  lines  in  the  output  bus  labeled  “fc”  is  [log2  n] 
and  represents  the  number  of  bits  needed  to  represent  a  number  between  0  and  n. 

Fig.  3  shows  the  circuit  that  realizes  the  uk  =  ct?”  circuit  in  Fig.  2.  The  line  of  blocks  on 
the  left  are  circuits  that  separate  out  the  /^-subsets  of  variables.  The  blocks  near  the  center 
extract  the  truth  table  of  the  subfunctions  associated  with  assigning  all  combinations  of  values 
to  the  variables  in  each  subset.  Then,  the  blocks  labeled  “Ones  Count”  to  the  right  compute 
the  weight  of  each  subfunction.  Then,  the  single  block  on  the  right  produces  at  is  output  a  1  if 
and  only  if  all  weights  are  the  same.  This  drives  the  “k  =  a?”  output. 

5  Meet  in  the  middle  algorithm 

In  this  section,  we  describe  an  algorithm  that  can  count  the  n-variable  /c-correlation  immune 
functions,  using  22"  +°in)  time  and  space.  Effectively,  n  is  reduced  by  1  but  a  high  price  is 

paid  in  memory.  This  makes  it  unsuitable  for  a  reconfigurable  computer,  such  as  the  SRC-6.  It 


Figure  3:  Correlation  immunity  circuit. 

did  serve,  however,  for  completing  the  analysis  for  n  =  6.  This  algorithm  is  described  in  [17], 
but  only  briefly,  so  we  elaborate  here. 

Recall  that  the  conditions  for  ^-immunity  ((i)  of  Theorem  1)  are  linear.  Therefore,  we  can 
split  our  truth  tables  in  two,  and  attempt  to  find  matching  left  and  right  halves. 

Let  m  =  n  +  Q)  +  ■  ■  ■  +  Qj)  •  From  the  Walsh- Hadamard  matrix,  extract  the  rows  indexed 
by  u  with  1  <  wt(u)  <  k,  to  form  W^k\  If  we  write  W ^  =  (A  B),  the  Walsh- Hadamard 
condition  for  fc-immunity  becomes  (A  B)(x  y)T ,  where  A,  B  are  m  X  2n~1  matrices  with  ±1 
entries,  and  the  column  vector  (x  y)T  is  the  truth  table  of  /  (in  ±1  form).  Equivalently,  the 
two  “signatures”  Ax  and  —By  must  match. 

Make  a  list  of  the  2n~l  pairs  (Tlx,  0)  and  another  list  of  the  2n~1  pairs  (—By,  1).  (The  “tag” 
(0  or  1)  indicates  which  matrix  the  pair  came  from.)  Sort  the  combined  lists  lexicographically. 
A  first  component  z  that  occurs  r  times  with  a  0  and  s  times  with  a  1  contributes  rs  to  the  count 
of  ^-correlation  immune  functions.  (If  we  append  x  and  y  to  the  pairs,  the  actual  functions 
could  be  produced  as  well.) 

Here  is  an  example.  Take  n  =  2  and  k  =  1.  Then,  A  =  (  \  7'  )  and  —B  =  (  71  ]  ). 

Applying  these  two  matrices  to  the  four  vectors  (±1,  ±l)r,  we  get  two  lists,  each  with  the  four 
vectors  (0,  ±2),  (±2,0).  Thus,  there  are  four  correlation  immune  functions  of  two  variables. 

To  get  fast  code,  we  can  use  the  following  idea.  If  a,  b  are  ±1  vectors  of  length  2n~1,  and 
u,  v  their  0/1  images  (under  the  map  that  sends  ±1  to  0  and  —1  to  1),  we  have 

2 71—1 

dibi  =  2n~l  —  2  wt(u  ®  v). 

i=  1 

For  the  last  factor,  bitwise  XOR  can  be  used,  followed  by  a  “l’s  count”  operation.  Since  our 
goal  is  only  to  find  matches,  the  rest  of  the  operations  can  be  skipped. 

Since  0  <  wt(u®  v)  <  2n~1,  the  information  payload  in  each  pair  (Ax,  0)  and  (—By,  1)  can 
be  stored  in  a  bit  string  of  length  mn  +  1,  if  encoded  in  a  straightforward  way. 

We  now  justify  the  time  and  space  claims  made  above.  For  the  Ax’s,  we  need  m22"  bitwise 
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XOR’s,  and  22"  1  l’s  counts.  The  same  number  is  needed  for  the  —  By’s.  If  we  assume  that 
there  are  instructions  for  XOR  and  l’s  count,  the  complexity  for  this  phase  of  the  algorithm  is 
0(m22"  ).  Then,  we  sort  the  combined  table  and  make  a  final  pass  to  count  the  matches.  With 

standard  in-place  sorting  algorithms,  this  costs  0( 22™  +n),  if  we  reckon  that  a  comparison  is 
one  step.  The  claimed  bounds  then  follow,  since  m  <  2n. 

If  the  machine  does  not  have  a  l’s  count  instruction,  this  can  be  done  in  software  at  a  cost 
of  0{n )  (remember  the  word  size  is  2n)  [21].  This  will  not  affect  the  result. 

In  practice,  k  will  be  small,  since  the  ^-correlation  immune  functions  could  be  culled  from  a 
list  of  fc-immune  functions  with  k  >  t.  Also,  since  the  balance  condition  is  also  linear,  the  same 
idea  works  for  counting  fc-resilient  functions. 

We  implemented  three  variations  on  this  algorithm  for  n  =  6  to  do  specialized  counting  jobs. 

First,  to  count  the  2-correlation  immune  functions,  we  spread  the  work  over  about  729  proces¬ 
sors,  using  Wisconsin’s  Condor  distributed  computing  system.  Each  processor  was  responsible 
for  a  subset  of  x’s  and  a  subset  of  y’s,  and  selected  possible  matches  by  hashing  the  signatures. 
The  x’s  and  y’s  were  included  in  the  tuples,  making  it  possible  to  verify  alleged  matches.  For  our 
partition  of  the  data,  x  and  y  cannot  match  if  they  are  on  different  processors,  so  the  individual 
counts  found  by  the  processors  could  be  summed  at  the  end. 

Second,  we  counted  the  correlation  immune  functions  with  degree  <  4.  Applying  the  “esoteric 
result”  at  the  beginning  of  Section  2  to  n  =  6,  we  see  that  a  2-correlation  immune  function  has 
degree  <  5  if  and  only  if  its  ANF  omits  the  quintic  term  X1X2X3X4X5.  It  can  be  shown  that  this 
happens  if  the  “combed”  truth  table  (result  of  bitwise  AND  with  010101...)  has  even  Hamming 
weight.  This  is  another  linear  condition.  Rather  than  add  a  row  to  our  matrices,  however,  we 
just  treated  the  pairs  with  even  and  odd  combed  Hamming  weights  separately,  and  summed  the 
results.  Conveniently,  with  base  33  encoding,  the  signatures  fit  into  32  bits,  and  the  maximum 
imaginable  signature  (336  —  1)  was  small  enough  that  we  could  sort  by  counting. 

Finally,  we  counted  the  2-resilient  functions.  To  do  this,  we  used  Camion  et  al.’s  result  (see 
Section  2)  that  the  left  and  right  halves  of  any  2-resilient  truth  table  are  1-resilient.  Using  this 
criterion  as  a  filter,  we  made  a  table  of  2  BCI(5, 1)  (about  1.6  x  106)  tagged  signatures,  and 
then  sorted  it  to  get  the  desired  count.  By  Theorem  2,  all  Hamming  weights  are  even,  so  we 
stored  halved  weights  (which  cannot  exceed  16).  There  were  (®)  =  15  of  these,  since  we  only 
needed  weight  2  parities.  Using  base  17  encoding,  each  tagged  signature  fit  into  63  bits.  (Note 
that  1715  <  262.)  Therefore,  64  bit  integer  variables  could  be  used. 

6  The  computational  results 

Table  2  shows  the  distribution  of  n- variable  functions  by  exact  order  of  correlation  immunity,  for 
2  <  n  <  6.  This  table  clearly  shows  that  the  majority  of  functions  have  correlation  immunity  0. 
The  value  of  correlation  immunity  that  has  the  next  largest  number  of  functions  is  1.  Also,  Table 
2  shows  that,  for  all  values  of  n,  there  are  two  functions  with  correlation  immunity  n.  These  are 
the  constant  functions  /  =  0  and  /  =  1,  appearing  in  Table  1.  Table  2  also  shows  there  are  two 
functions  with  correlation  immunity  n—  1.  These  are  the  parity  functions  /(x)  =  xi©X20-  •  -®xn 
and  /(x)  =  1  ©  x\  ©  X2  ©  •  •  •  ©  xn,  also  shown  in  Table  1. 

The  complete  data  for  n  =  6  is  certainly  new.  We  can,  however,  sum  the  functions  with 
correlation  immunity  greater  than  0,  and  thus  derive  the  number  of  correlation  immune  func¬ 
tions.  The  result  is  shown  in  Table  3.  These  values  are  identical  to  those  computed  by  Palmer 
et  al.  [19])  and  Le  Bars  and  Viola  [16],  which  verifies  our  results.  The  number  of  correlation 
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Table  2:  Distribution  of  n-variable  functions  by  exact  correlation  immunity,  k,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

12 

2 

2 

0 

0 

0 

0 

3 

238 

14 

2 

2 

0 

0 

0 

4 

64888 

636 

8 

2 

2 

0 

0 

5 

4291827234 

3139004 

1044 

10 

2 

2 

0 

6 

18446240589943529428 

503483719470800 

46549718 

1654 

12 

2 

2 

immune  functions  for  n  =  7  is  also  known;  it  is  171522187398423323340476473786538  [16]. 
Table  3:  Number  of  n-variable  correlation  immune  and  resilient  functions,  for  2  <  n  <  6. 


n 

2 

3 

4 

5 

6 

Cor.  Imm. 

4 

18 

648 

3140062 

503483766022188 

Resilient 

2 

8 

222 

807980 

95259103924394 

Table  4  shows  the  distribution  of  n- variable  balanced  functions  to  exact  correlation  immunity, 
where  2  <  n  <  6.  This  data  is  similar  to  that  shown  in  Table  2,  except  that  it  applies  only  to 
balanced  functions  (whose  function  values  have  as  many  0’s  as  l’s).  Thus,  this  table  shows  only 
the  resilient  functions.  Note  that  there  are  no  resilient  functions  with  correlation  immunity  n. 
The  only  possible  candidates  are  the  constant  functions  in  in  Table  4,  which  are  not  balanced. 
However,  there  are  two  functions  with  correlation  immunity  n  —  1  in  these  tables.  These  are  the 
parity  functions,  which  are  balanced.  From  the  above  enumeration,  we  can  sum  the  functions 
with  correlation  immunity  greater  than  0,  and  thus  compute  the  number  of  correlation  immune 
functions  that  are  balanced.  These  are  the  resilient  functions.  The  result  is  shown  in  the  second 
line  in  Table  3.  The  values  are  identical  to  those  appearing  in  [19]  and  in  [16].  Le  Bars  and 
Viola  [16]  have  also  determined  that  there  are  23478015754788854439497622689296  1-resilient 
functions  for  n  =  7. 

Table  4:  Distribution  of  n-variable  balanced  functions  by  exact  resiliency,  k,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

4 

2 

0 

0 

0 

0 

0 

3 

62 

6 

2 

0 

0 

0 

0 

4 

12648 

212 

8 

2 

0 

0 

0 

5 

600272410 

807428 

540 

10 

2 

0 

0 

6 

1832120657223119734 

503483702719940 

16749696 

1150 

12 

2 

0 

A  function  /  is  rotation  symmetric  [11]  if  and  only  if  for  any  values  (xi,x2,  •  •  • ,  xn), 

f(xi,X  2,  ...,Xn)  =  f(x„,x  !,X2,  ■  •  -,xn- i),  (3) 

that  is,  the  function  is  invariant  under  rotation  of  indices. 

Example  2.  The  four  functions  /(x)  =  0,  /(x)  =  1,  /(x)  =  x\  ©  x2  ©  •  •  •  ©  xn,  and  /(x)  = 
1  ©  x\  ©  x2  ©  •  •  •  ©  xn  (for  all  x  G  Wtf)  are  all  rotation  symmetric. 

Table  5  shows  the  distribution  of  n-variable  balanced  functions  to  exact  correlation  immunity 
k  for  rotation  symmetric  functions.  The  fraction  of  all  functions  that  are  rotation  symmetric 
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Table  5:  Distribution  of  n-variable  rotation  symmetric  functions  versus  exact  correlation  immu¬ 
nity  k  and  n,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

4 

2 

2 

0 

0 

0 

0 

3 

10 

2 

2 

2 

0 

0 

0 

4 

48 

12 

0 

2 

2 

0 

0 

5 

214 

34 

4 

0 

2 

2 

0 

6 

14656 

1686 

36 

2 

0 

2 

2 

functions  is  small,  and  this  is  seen  in  the  table.  It  is  interesting  that,  for  correlation  immunity 
equal  to  n  and  n  —  1,  there  are  two  functions  for  all  values  of  n  shown.  This  is  because  all 
functions  with  these  values  of  correlation  immunity  are  rotation  symmetric.  Indeed,  all  of  these 
functions  are  symmetric,  which  is  a  subtype  of  rotation  symmetric  functions. 

Table  6  shows  the  distribution  of  4-variable  functions  as  a  function  of  both  correlation  im¬ 
munity  and  nonlinearity.  The  computation  of  the  nonlinearity  by  reconfigurable  computer  is 
described  in  [27].  So,  for  each  function  we  compute  its  correlation  immunity,  as  described  in 
this  paper  and  its  nonlinearity,  as  described  in  [27].  The  functions  with  largest  nonlinearity 
are  the  bent  functions;  for  n  =  4,  there  are  896  bent  functions.  As  with  the  distributions  dis¬ 
cussed  earlier,  the  majority  of  functions  have  a  correlation  immunity  of  0.  But,  in  this  table, 
it  can  be  seen  how  the  functions  are  distributed  according  to  nonlinearity.  Most  functions  have 
nonlinearity  near  the  middle  values,  3  through  5.  And,  most  of  these  are  concentrated  along 
the  value  of  correlation  immunity  equal  to  0.  It  is  interesting  that  the  largest  concentration  of 
functions  with  the  highest  correlation  immunity  (1  only)  and  relatively  high  nonlinearity  occur 
at  nonlinearity  4. 

Table  6:  Distribution  of  n-variable  functions  versus  exact  correlation  immunity  k  and  nonlin¬ 
earity  ( N ),  for  n  =  4. 


N  /  k 

0 

1 

2 

3 

4 

0 

8 

12 

8 

2 

2 

1 

512 

0 

0 

0 

0 

2 

3712 

128 

0 

0 

0 

3 

17920 

0 

0 

0 

0 

4 

27504 

496 

0 

0 

0 

5 

14336 

0 

0 

0 

0 

6 

896 

0 

0 

0 

0 

Table  7  shows  data  similar  to  that  of  Table  6  except  that  it  is  for  n  =  5.  Interestingly,  there 
are  a  relatively  substantial  number  of  functions,  that  is  384,  with  the  highest  nonlinearity  12 
and  moderate  correlation  immunity  2. 

Table  8  shows  the  distribution  of  4- variable  functions  versus  exact  correlation  immunity  k  and 
degree.  High  degree  in  Boolean  functions  is  a  desired  cryptographic  property.  The  computation 
of  degree  is  accomplished  using  the  “transeunt  triangle”  [27].  This  is  a  circuit  consisting  entirely 
of  exclusive  OR  gates  that  transforms  the  truth  table  of  a  function  to  its  ANF.  Additional  gates 
extract  from  the  ANF  a  binary  number  that  is  the  degree  of  the  function.  So,  for  each  function, 
we  compute  its  correlation  immunity,  as  described  in  this  paper  and  its  degree  as  described 
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Table  7:  Distribution  of  n- variable  functions  versus  exact  correlation  immunity  k  and  nonlin¬ 
earity  (N),  for  n  =  5. 


N  /  k 

0 

1 

2 

3 

4 

5 

0 

10 

20 

20 

10 

2 

2 

1 

2048 

0 

0 

0 

0 

0 

2 

31232 

512 

0 

0 

0 

0 

3 

317440 

0 

0 

0 

0 

0 

4 

2278400 

23040 

0 

0 

0 

0 

5 

12888064 

0 

0 

0 

0 

0 

6 

57873920 

122368 

0 

0 

0 

0 

7 

215414784 

0 

0 

0 

0 

0 

8 

645867160 

1799080 

640 

0 

0 

0 

9 

1362452480 

0 

0 

0 

0 

0 

10 

1411209216 

890880 

0 

0 

0 

0 

11 

556408832 

0 

0 

0 

0 

0 

12 

27083648 

303104 

384 

0 

0 

0 

here.  Table  9  shows  a  distribution  similar  to  that  of  Table  8  except  that  it  is  for  5-variable 
functions.  There  are  a  relatively  substantial  number  of  functions  (384)  with  moderate  degree 
(3)  and  moderate  exact  correlation  immunity  (2). 


Table  8:  Distribution  of  n- variable  functions  versus  correlation  immunity  k  and  degree  (Deg), 
for  n  =  4. 


Deg  /  k 

0 

1 

2 

3 

4 

0 

0 

0 

0 

0 

2 

1 

8 

12 

8 

2 

0 

2 

1712 

304 

0 

0 

0 

3 

30400 

320 

0 

0 

0 

4 

32768 

0 

0 

0 

0 

In  Table  10,  the  rows  for  d  <  3  were  computed  on  the  SRC-6.  This  was  combined  with 
the  count  of  2-correlation  immune  functions  to  complete  the  k  =  2  column.  Since  the  number 
of  1-correlation  immune  functions  is  known,  the  total  for  d  <  4  and  k  >  1  could  be  used  to 
complete  the  k  =  1  column.  The  remaining  column  was  determined  by  subtraction. 

Table  11  shows  the  time  it  takes  to  do  the  exhaustive  enumeration  across  4  variables.  The  first 
row  shows  that  0.655  msec,  is  needed  to  complete  the  enumeration  on  the  SRC-6  reconfigurable 
computer;  this  corresponds  to  one  function  per  clock  cycle  of  a  100  MHz  clock.  The  second  row 
shows  that  1,238.7  msec,  is  needed  when  a  C  program  is  compiled  into  Verilog  using  the  SRC-6’s 
compiler  and  run  on  the  SRC-6’s  FPGA  (Xilinx  Virtex-II  Series  6000).  The  third  row  shows 
that  190  msec,  is  needed  by  the  same  C  program  when  it  is  run  on  a  conventional  processor 
(the  SRC-6’s  2.8  GHz  Xeon  microprocessor).  The  small  time  required  in  the  case  of  a  Verilog 
program  shows  a  significant  advantage  in  using  the  large  logic  resources  of  an  FPGA.  Compared 
to  the  conventional  processor  time,  the  SRC-6  programmed  in  Verilog  has  a  190  times  speedup. 
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Table  9:  Distribution  of  n- variable  functions  versus  exact  correlation  immunity  k  and  degree 
(Deg),  for  n  =  5. 


Deg  /  k 

0 

1 

2 

3 

4 

5 

0 

0 

0 

0 

0 

0 

2 

1 

10 

20 

20 

10 

2 

0 

2 

59736 

5096 

640 

0 

0 

0 

3 

65478976 

1563968 

384 

0 

0 

0 

4 

2078804864 

1569920 

0 

0 

0 

0 

5 

2147483648 

0 

0 

0 

0 

0 

Table  10:  Distribution  of  n-variable  functions  versus  exact  correlation  immunity  k  and  degree 
(Deg),  for  n  =  6. 


Deg  /  k 

0 

1 

2 

3 

4 

5 

6 

0 

0 

0 

0 

0 

0 

0 

2 

1 

12 

30 

40 

30 

12 

2 

0 

2 

3760424 

417512 

15000 

1240 

0 

0 

0 

3 

4388747656096 

9270073536 

24586784 

384 

0 

0 

0 

4 

143859057441024156 

251732566372708 

21947904 

0 

0 

0 

0 

5 

9079005106896312932 

251741882607004 

0 

0 

0 

0 

0 

6 

9223372036854775808 

0 

0 

0 

0 

0 

0 

Total 

18446240589943529428 

503483719470790 

46549728 

1654 

12 

2 

2 

7  Concluding  Remarks 

Correlation  immunity  is  an  important  cryptographic  property  of  Boolean  functions.  We  show 
a  fast  circuit  that  allows  a  computation  of  correlation  immunity  of  Boolean  functions  at  a  rate 
of  10s  functions  per  second  on  the  SRC-6  reconhgurable  computer.  In  the  case  of  4-variable 
functions,  this  results  in  a  190  times  speedup  compared  to  a  conventional  computer.  For  the 
first  time  ever  we  are  able  to  find  the  distribution  of  6  variable  functions  versus  the  order  of 
correlation  immunity.  We  also  can  quickly  analyze  and  compare  Boolean  functions  on  the  basis 
of  their  cryptographic  properties.  Specifically,  we  compare  correlation  immunity  with  two  other 
cryptographic  properties,  nonlinearity  and  degree,  and  obtain  for  the  first  time,  a  complete 
distribution  of  such  functions  for  <  6  dimensions. 
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